Tracing origin of suspicious file

Discussion in 'malware problems & news' started by Dan Tidaback, Apr 9, 2007.

Thread Status:
Not open for further replies.
  1. Dan Tidaback (Registered Member; joined Apr 9, 2007; posts: 1)
    Hello! I am running XP Pro. Something is generating the same file [which appears to be a program, in Notepad] over and over at startup. It can only be deleted in Safe Mode [access denied in normal Windows]. "~DF123.tmp" is an example. The number in the filename changes, but the "DF*.tmp" part is always the same. In file Properties, there is no info on the app it is associated with or the company of origin. It is listed as "unknown application". Is there any method I can use to trace the origin of this file to the app that is generating it? Thanks.
     
  2. MICRO (Registered Member; joined Jun 8, 2004; posts: 1,020)
    I've had the same thing for years, Dan, but not in Notepad; they are in the TEMP folder in my case. Years ago I asked here too, but didn't get a reply, so I then sent an email to Javacool because I THOUGHT they began when I installed SpywareGuard. No reply. I still don't know who they belong to, but I run Steve's 'Index.Dat Suite' every night; it loses all bar two that it can't remove, and those two are emptied back to 3.00 KB when I restart the following morning.
    No security app has ever mentioned them.

    I shall be interested to see if you get a reply with knowledge regarding who owns them.

    Regards.
     
  3. StevieO (Registered Member; joined Feb 2, 2006; posts: 1,067)
    Right now I have two similar files in my Windows\Temp folder, ~DF4672.TMP and ~DF72F9.TMP; one is 3 KB, the other is 3.5 KB. These get flushed out and renewed every day on rebooting. For safety purposes this is always after I have gone offline and physically disconnected from the line.

    I then close down several running processes, including ZoneAlarm, which I believe they might belong to, and use several cleaners such as MruBlaster and CCleaner. The ~DFxxxx.TMP files then get cleaned along with all the others in the Temp folders. If you don't close them down, you will get errors due to the files being in use.

    I delete by hand into the Recycle Bin: fwpktlog.txt, fwdbglog.txt, tvDebug.log, Username.ldb. Some of the cleaners will automatically delete a few of those, but not all. The Recycle Bin then gets cleaned out at the same time with all the above full cleaning.

    I just had a look at these two files with FileAlyzer and noticed several strings relating to several forums I had viewed, and a file I had also downloaded today, plus an LBDX reference. It's mentioned in this ZA thread: http://www.sysopt.com/forum/archive/index.php/t-5508.html

    FileAlyzer is free: http://www.safer-networking.org/en/filealyzer/index.html


    StevieO
     
    Last edited: Apr 9, 2007
  4. herbalist (Guest)

    Those types of files are usually created by third-party apps that are running on your system at the time, usually legitimate ones. You can't delete one as long as the process is running, and they aren't always deleted when the app is closed. Several apps on my PC create such files. All the ones I've run into are harmless. If you can shut down the third-party apps, try deleting them afterwards. Then you could leave the folder open and restart the apps one at a time to find which ones make them.
    Rick
     
  5. Seer (Registered Member; joined Feb 12, 2007; posts: 2,068; location: Serbia)
    Hello Dan Tidaback :)

    I wonder if Sysinternals' File Monitor could help in tracing the origin. You have the option to filter the monitoring and confine it to c:\temp, for example. Try that.
     
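As an added example (not code from any post in this thread), the script below does on a saved trace what herbalist's restart-one-app-at-a-time method and Seer's File Monitor suggestion do interactively. It reads a Process Monitor CSV export (Process Monitor absorbed Filemon in the Sysinternals suite; the script assumes Procmon's default column set of Time of Day, Process Name, PID, Operation, Path, Result and Detail) and, for every path whose file name matches ~DF*.TMP, reports the first process whose successful CreateFile used a file-creating disposition (Create, OpenIf, OverwriteIf, Supersede), as well as any delete attempt that came back ACCESS DENIED. The CSV rows, process names, PIDs and timestamps embedded in it are constructed for illustration and do not come from any machine in the thread.

```python
import csv
import fnmatch
import io
import re
from collections import Counter

# Constructed sample: the shape of a Process Monitor "Save as CSV" export with
# its default columns.  Process names, PIDs, times and details are made up for
# this example; they are not from any machine discussed in the thread.
SAMPLE_CSV = "\n".join([
    r'"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    r'"9:01:02.1234567 AM","svchost.exe","1044","CreateFile","C:\WINDOWS\system32\config\software","SUCCESS","Desired Access: Read Data, Disposition: Open"',
    r'"9:01:05.0001234 AM","exampleapp.exe","1880","CreateFile","C:\WINDOWS\Temp\~DF4672.TMP","SUCCESS","Desired Access: Generic Read/Write, Disposition: Create, Options: Delete On Close"',
    r'"9:01:05.0002222 AM","exampleapp.exe","1880","WriteFile","C:\WINDOWS\Temp\~DF4672.TMP","SUCCESS","Offset: 0, Length: 3,072"',
    r'"9:01:06.5555555 AM","otherapp.exe","2212","CreateFile","C:\WINDOWS\Temp\~DF72F9.TMP","SUCCESS","Desired Access: Generic Write, Disposition: Create"',
    r'"9:01:07.0000000 AM","otherapp.exe","2212","CreateFile","C:\WINDOWS\Temp\~DF72F9.TMP","SUCCESS","Desired Access: Generic Read, Disposition: Open"',
    r'"9:01:08.0000000 AM","explorer.exe","1320","CreateFile","C:\WINDOWS\Temp\~DF4672.TMP","ACCESS DENIED","Desired Access: Delete, Disposition: Open"',
    r'"9:01:09.0000000 AM","otherapp.exe","2212","CreateFile","C:\Documents and Settings\dan\Local Settings\Temp\~DF9ABC.TMP","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"',
]) + "\n"

DISPOSITION_RE = re.compile(r"Disposition:\s*(\w+)")
# NtCreateFile dispositions that can bring a new file into existence.  A plain
# "Open" only succeeds on a file that already exists, so it never creates one.
CREATING_DISPOSITIONS = {"Create", "OpenIf", "OverwriteIf", "Supersede"}


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["PID"] = int(row["PID"])
        rows.append(row)
    return rows


def _basename(path):
    # Windows paths; os.path.basename would not split on '\' off-Windows.
    return path.rsplit("\\", 1)[-1]


def _name_matches(path, pattern):
    return fnmatch.fnmatchcase(_basename(path).lower(), pattern.lower())


def find_creators(rows, pattern="~DF*.TMP"):
    """Map each path whose file name matches `pattern` (case-insensitive glob)
    to (process, pid, time) of the first successful CreateFile that could have
    created it.  Later opens of the already existing file are ignored."""
    creators = {}
    for row in rows:
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue
        if not _name_matches(row["Path"], pattern):
            continue
        m = DISPOSITION_RE.search(row["Detail"])
        if m is None or m.group(1) not in CREATING_DISPOSITIONS:
            continue
        creators.setdefault(
            row["Path"], (row["Process Name"], row["PID"], row["Time of Day"]))
    return creators


def creators_by_process(creators):
    """How many matching files each process created: the 'which app is
    generating these?' answer."""
    return Counter(proc for proc, _pid, _when in creators.values())


def denied_deletes(rows, pattern="~DF*.TMP"):
    """(process, path) pairs where a delete of a matching file was refused,
    i.e. the 'access denied' seen when removing the file in normal mode."""
    return [
        (row["Process Name"], row["Path"])
        for row in rows
        if row["Result"] == "ACCESS DENIED"
        and "Delete" in row["Detail"]
        and _name_matches(row["Path"], pattern)
    ]


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    creators = find_creators(rows)
    for path, (proc, pid, when) in sorted(creators.items()):
        print(f"{path}  <- {proc} (PID {pid}) at {when}")
    print("files created per process:", dict(creators_by_process(creators)))
    print("refused deletes:", denied_deletes(rows))
```

Because the files reappear at startup, the trace has to cover boot: in Process Monitor enable Options > Enable Boot Logging, reboot, save the captured trace as CSV, and run the script over that file instead of the embedded sample. Note that the "unknown application" shown in the file's Properties only means no program is registered to open the .tmp extension; it says nothing about which process wrote the file, which is why a file-activity trace is needed at all.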